Compliance in Microsoft Cloud for Healthcare
Microsoft Azure, Microsoft Dynamics 365, Microsoft 365, Microsoft Power Platform, and Microsoft Fabric services and their underlying infrastructure employ a security framework. This framework encompasses industry best practices and spans multiple standards, including the ISO 27000 family of standards, NIST 800, and others. As part of our comprehensive compliance offering, Microsoft regularly undergoes independent audits performed by qualified third-party accredited assessors.
The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. The CSF builds on HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act). It incorporates healthcare-specific security, privacy, and other regulatory requirements from existing frameworks such as the PCI (Payment Card Industry) DSS (Data Security Standard), ISO 27001, EU privacy laws and regulations, NIST, and MARS-E. HITRUST provides a benchmark: a standardized compliance framework, assessment, and certification process against which cloud service providers and covered health entities can measure compliance.
Microsoft is one of the first hyperscale cloud service providers to receive certification for the HITRUST CSF. The HIPAA Business Associate Agreement (BAA) clarifies and limits how the business associate (Microsoft) can handle protected health information (PHI). It outlines additional terms for each party related to the security and privacy provisions outlined in HIPAA and the HITECH Act. The BAA is automatically included as part of the Online Services Terms and applies to customers who are covered entities or business associates and are storing PHI.
The qualifying license terms for Microsoft 365/Office 365, Dynamics 365, Microsoft Power Platform, and Azure are found in the Online Service Terms and the Microsoft Privacy Statement.
Microsoft Cloud for Healthcare and Online Services (such as Office 365, Dynamics 365, Power Platform, Azure, and Microsoft Fabric) (together, "Microsoft Cloud for Healthcare"):
- aren't intended or made available as medical devices.
- aren't designed or intended to be used in the diagnosis, cure, mitigation, monitoring, treatment, or prevention of a disease, condition, or illness. No license or right is granted by Microsoft to use the online services for such purposes.
- aren't designed or intended to be a substitute for professional medical advice, diagnosis, treatment, or judgment and shouldn't be used to replace or as a substitute for professional medical advice, diagnosis, treatment, or judgment. Customer shouldn't use Microsoft Cloud for Healthcare as a medical device. To the extent customer makes Microsoft Cloud for Healthcare available as a medical device, or puts it into service for such a use, customer is solely responsible for such use and acknowledges that it would be the legal manufacturer in respect of any such use. Customer is solely responsible for displaying and/or obtaining appropriate consents, warnings, disclaimers, and acknowledgments to end users of customer's implementation of Microsoft Cloud for Healthcare. Customer is solely responsible for any use of Microsoft Cloud for Healthcare to collate, store, transmit, process, or present any data or information from any third-party products (including medical devices).
You can learn more about Microsoft's commitments to data protection and privacy by visiting our Trust Center.
In-scope regulations for Microsoft services
Service | HITRUST | EU privacy laws and regulations | SOC 1 | SOC 2 | ISO 27017 | ISO 27001 |
---|---|---|---|---|---|---|
Azure Data Lake Storage Gen2 | Yes | Yes | Yes | Yes | Yes | Yes |
Azure AI Health Bot | Yes | Yes | Yes | Yes | Yes | Yes |
Azure Health Data Services | Yes | Yes | Yes | Yes | Yes | Yes |
Azure Healthcare APIs | Yes | Yes | Yes | Yes | Yes | Yes |
Azure IoT Hub | Yes | Yes | Yes | Yes | Yes | Yes |
Azure Synapse Analytics | Yes | Yes | Yes | Yes | Yes | Yes |
Chat Add-in for Dynamics 365 Customer Service (Omnichannel for Customer Service) | Yes | Yes | Yes | Yes | Yes | Yes |
Customer Service Insights Add-in for Microsoft Dynamics 365 Customer Service | Yes | Yes | Yes | Yes | Yes | Yes |
Dataverse | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Customer Insights - Data | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Customer Insights - Journeys | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Customer Service | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Customer Voice | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Field Service | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Sales | Yes | Yes | Yes | Yes | Yes | Yes |
Microsoft Purview | Yes | Yes | Yes | Yes | Yes | Yes |
Microsoft Teams | Yes | Yes | Yes | Yes | Yes | Yes |
Power Apps | Yes | Yes | Yes | Yes | Yes | Yes |
Power Automate | Yes | Yes | Yes | Yes | Yes | Yes |
Power BI | Yes | Yes | Yes | Yes | Yes | Yes |
Healthcare data solutions in Microsoft Fabric
To review the compliance information for healthcare data solutions in Microsoft Fabric, see Compliance and security in healthcare data solutions in Microsoft Fabric.